Issues in Routing Security - Columbia Universitysmb/talks/routesec-dimacs.pdfSpammers (though...
Transcript of Issues in Routing Security - Columbia Universitysmb/talks/routesec-dimacs.pdfSpammers (though...
1 / 32
Issues in Routing Security
Steven M. Bellovinhttp://www.cs.columbia.edu/~smb
Columbia University
March 24, 2008
Introduction
IntroductionWhat is RoutingSecurity?
Why is this ThreatDifferent?
The Attack
The AttackWho’s LaunchingRouting Attacks?
Spying on orModifying Traffic
Denial of Service
Stealing Prefixes
Traffic Analysis
History
Current Status
Issues
2 / 32
What is Routing Security?
IntroductionWhat is RoutingSecurity?
Why is this ThreatDifferent?
The Attack
The AttackWho’s LaunchingRouting Attacks?
Spying on orModifying Traffic
Denial of Service
Stealing Prefixes
Traffic Analysis
History
Current Status
Issues
3 / 32
■ Bad guys play games with routing protocols.■ Traffic is diverted.
◆ Enemy can see the traffic.◆ Enemy can perform traffic analysis.◆ Enemy can easily modify the traffic.◆ Enemy can drop the traffic.◆ Enemy can steal prefixes
■ End-to-end cryptography can mitigate theeffects, but not stop them.
Why is this Threat Different?
IntroductionWhat is RoutingSecurity?
Why is this ThreatDifferent?
The Attack
The AttackWho’s LaunchingRouting Attacks?
Spying on orModifying Traffic
Denial of Service
Stealing Prefixes
Traffic Analysis
History
Current Status
Issues
4 / 32
■ Most communications security failures happenbecause of buggy code or broken protocols.
■ Routing security failures happen despite goodcode and functioning protocols. The problemis a dishonest participant.
■ Hop-by-hop authentication isn’t sufficient.
The Attack
IntroductionWhat is RoutingSecurity?
Why is this ThreatDifferent?
The Attack
The AttackWho’s LaunchingRouting Attacks?
Spying on orModifying Traffic
Denial of Service
Stealing Prefixes
Traffic Analysis
History
Current Status
Issues
5 / 32
■ The attacker generates a false advertisement:an improper prefix, a fake AS path, etc.
■ The false advertisement has a lower metric forthat prefix than the legitimate path
■ The victim believes the fake path instead ofthe legitimate one, and routes some traffictowards the attacker
■ To reinject traffic — after inspecting ormodifying it — set up a tunnel to somewhereclose enough to the victim that it isn’t affectedby the fake route
The Attack
IntroductionWhat is RoutingSecurity?
Why is this ThreatDifferent?
The Attack
The AttackWho’s LaunchingRouting Attacks?
Spying on orModifying Traffic
Denial of Service
Stealing Prefixes
Traffic Analysis
History
Current Status
Issues
6 / 32
Y−>X: B{Y,W}
X
Y
Z
Site AY−>Z: B{Y,W}
W Site B
Z−>X: B{Z}
Z is lying, so the path through it looks shorter.
Who’s Launching Routing Attacks?
IntroductionWhat is RoutingSecurity?
Why is this ThreatDifferent?
The Attack
The AttackWho’s LaunchingRouting Attacks?
Spying on orModifying Traffic
Denial of Service
Stealing Prefixes
Traffic Analysis
History
Current Status
Issues
7 / 32
■ Spammers (though they’ve mostly switched tobots of late)
■ DoSers — vandals, extortionists, etc.■ Industrial spies■ Governments■ Sometimes it happens by accident
Spying on or Modifying Traffic
IntroductionWhat is RoutingSecurity?
Why is this ThreatDifferent?
The Attack
The AttackWho’s LaunchingRouting Attacks?
Spying on orModifying Traffic
Denial of Service
Stealing Prefixes
Traffic Analysis
History
Current Status
Issues
8 / 32
■ A lot of traffic that should be encrypted isn’t■ Most secure web pages are invoked via links
from unprotected pages■ The attacker can modify these — think
phishing on steroids■ (Who checks certificates?)■ Most email isn’t encrypted
Denial of Service
IntroductionWhat is RoutingSecurity?
Why is this ThreatDifferent?
The Attack
The AttackWho’s LaunchingRouting Attacks?
Spying on orModifying Traffic
Denial of Service
Stealing Prefixes
Traffic Analysis
History
Current Status
Issues
9 / 32
■ Attract traffic, but don’t forward it■ Better yet, forward most but not all of it■ Selectively drop TCP packets to slow things
down■ Selectively drop DNS packets■ But pings and traceroutes will show that
everything looks fine
Stealing Prefixes
IntroductionWhat is RoutingSecurity?
Why is this ThreatDifferent?
The Attack
The AttackWho’s LaunchingRouting Attacks?
Spying on orModifying Traffic
Denial of Service
Stealing Prefixes
Traffic Analysis
History
Current Status
Issues
10 / 32
■ Connect to a clueless ISP■ Claim you have PI space■ Start using your stolen (or black market, or
abandoned) prefixes■ Will someone three hops upstream check the
routing registry?
Traffic Analysis
IntroductionWhat is RoutingSecurity?
Why is this ThreatDifferent?
The Attack
The AttackWho’s LaunchingRouting Attacks?
Spying on orModifying Traffic
Denial of Service
Stealing Prefixes
Traffic Analysis
History
Current Status
Issues
11 / 32
■ See who is talking to whom■ Monitor connection length■ Doesn’t look at (possibly encrypted) content■ Frequently used by law enforcement and
intelligence agencies■ Very hard to disguise
History
Introduction
History
Earliest Mentions
DefensesThe InterdomainCase
Current Status
Issues
12 / 32
Earliest Mentions
Introduction
History
Earliest Mentions
DefensesThe InterdomainCase
Current Status
Issues
13 / 32
■ Radia Perlman’s dissertation: Network Layer
Protocols with Byzantine Robustness, 1988.■ Gregory Finn, Reducing the Vulnerability of
Dynamic Computer Networks, 1988.■ Steve Bellovin, “Security Security Problems in
the TCP/IP Protocol Suite”, 1989.■ Accidental routing problems were what got me
interested in Internet security in the firstplace. . .
Defenses
Introduction
History
Earliest Mentions
DefensesThe InterdomainCase
Current Status
Issues
14 / 32
■ A few early attempts in the mid-1990s■ Notable effort: RFC 2154 (Murphy, Badger,
and Wellington), 1997.■ Not taken seriously by most
The Interdomain Case
Introduction
History
Earliest Mentions
DefensesThe InterdomainCase
Current Status
Issues
15 / 32
■ AS 7007■ AT&T Worldnet taken off the air by a routing
error in 1999■ National Academies report Trust in Cyberspace
called routing one of the two ways to takedown the Internet
■ Pakistan Telecom versus YouTube■ Kenya versus Above.net
Current Status
Introduction
History
Current Status
NanoBGP Tutorial
Securing BGP
Internet RoutingRegistry
SBGP:OversimplifiedDesign
More DetailssoBGP: SecureOrigin BGP
Many OtherProposals
Issues
16 / 32
NanoBGP Tutorial
Introduction
History
Current Status
NanoBGP Tutorial
Securing BGP
Internet RoutingRegistry
SBGP:OversimplifiedDesign
More DetailssoBGP: SecureOrigin BGP
Many OtherProposals
Issues
17 / 32
■ An Autonomous System (AS) x emits a〈{ASx}, prefix〉 sequence
■ Neighboring AS hop y applies policy to decidewhich advertisements to accept or forward
■ It prepends its AS# and emit〈{ASy, ASx}, prefix〉
■ AS z emits 〈{ASz, ASy, ASx}, prefix〉■ AS path length is one possible policy to apply
Securing BGP
Introduction
History
Current Status
NanoBGP Tutorial
Securing BGP
Internet RoutingRegistry
SBGP:OversimplifiedDesign
More DetailssoBGP: SecureOrigin BGP
Many OtherProposals
Issues
18 / 32
■ IRR■ SBGP (Kent et al.), 2000■ soBGP (Ng et al.), 2002■ Many more proposals since then
Internet Routing Registry
Introduction
History
Current Status
NanoBGP Tutorial
Securing BGP
Internet RoutingRegistry
SBGP:OversimplifiedDesign
More DetailssoBGP: SecureOrigin BGP
Many OtherProposals
Issues
19 / 32
■ Register your prefixes■ Register your policies■ Filter incoming announcements against their
policies and what you know■ Strictly local; doesn’t deal with corruption
from more than one hop away
SBGP: Oversimplified Design
Introduction
History
Current Status
NanoBGP Tutorial
Securing BGP
Internet RoutingRegistry
SBGP:OversimplifiedDesign
More DetailssoBGP: SecureOrigin BGP
Many OtherProposals
Issues
20 / 32
■ Digitally sign advertisements■ Receiving AS hops sign the entire signed path■ AS x emits a signed statement of the path it
announces to neighbor y:
〈ASx, prefix, y〉x
■ AS y sends to AS z:
〈ASy, 〈ASx, prefix, y〉x, z〉
y
■ Many signatures, many verifications
More Details
Introduction
History
Current Status
NanoBGP Tutorial
Securing BGP
Internet RoutingRegistry
SBGP:OversimplifiedDesign
More DetailssoBGP: SecureOrigin BGP
Many OtherProposals
Issues
21 / 32
■ Each AS has a certificate for its AS #■ Each AS has a certificate for each of its
prefixes■ Prefix certificates can be obtained from an RIR
or an upstream AS that delegated addressspace
soBGP: Secure Origin BGP
Introduction
History
Current Status
NanoBGP Tutorial
Securing BGP
Internet RoutingRegistry
SBGP:OversimplifiedDesign
More DetailssoBGP: SecureOrigin BGP
Many OtherProposals
Issues
22 / 32
■ Originating AS signs the prefix originationmessage:
〈ASx, prefix〉x
■ Policy certificates describe connectivity policies
■ Subsequent hops are not signed:
ASz, ASy, 〈ASx, prefix〉x
■ Fewer signatures and verifications; weakerprotection
Many Other Proposals
Introduction
History
Current Status
NanoBGP Tutorial
Securing BGP
Internet RoutingRegistry
SBGP:OversimplifiedDesign
More DetailssoBGP: SecureOrigin BGP
Many OtherProposals
Issues
23 / 32
■ Neither SBGP nor soBGP has been acceptedby the ISPs
■ Cost and deployability are among the reasons■ Many other proposals have been published■ None of these have gained much support,
either
Issues
Introduction
History
Current Status
Issues
Issues
Capital Cost
Operational Cost
Deployability
Expertise Needed
Failure ModesData Cleanliness andPKI
Operability
24 / 32
Issues
Introduction
History
Current Status
Issues
Issues
Capital Cost
Operational Cost
Deployability
Expertise Needed
Failure ModesData Cleanliness andPKI
Operability
25 / 32
■ Capital cost■ Operational cost■ Deployability■ Expertise needed■ Failure modes■ Data cleanliness■ Operability
Capital Cost
Introduction
History
Current Status
Issues
Issues
Capital Cost
Operational Cost
Deployability
Expertise Needed
Failure ModesData Cleanliness andPKI
Operability
26 / 32
■ Routers will need to be upgraded to supportany of these schemes
■ Some (especially SBGP) will require cryptoaccelerators
■ New servers and databases must exist
Operational Cost
Introduction
History
Current Status
Issues
Issues
Capital Cost
Operational Cost
Deployability
Expertise Needed
Failure ModesData Cleanliness andPKI
Operability
27 / 32
■ Each RIR must run a CA to assign prefixes■ Each ISP must run a CA to delegate prefixes■ Both must run a 24 × 7 help desk to handle
certificate issues
Deployability
Introduction
History
Current Status
Issues
Issues
Capital Cost
Operational Cost
Deployability
Expertise Needed
Failure ModesData Cleanliness andPKI
Operability
28 / 32
■ What is the incentive for deployment?■ How do we deal with partial deployment,
within an AS or between ASs?■ How can an upgraded router tell that a path
should have been protected?■ When do we start reaping the benefits?
Expertise Needed
Introduction
History
Current Status
Issues
Issues
Capital Cost
Operational Cost
Deployability
Expertise Needed
Failure ModesData Cleanliness andPKI
Operability
29 / 32
■ This is a new function for RIRs and ISPs■ Do they have the staff that understands the
issues?■ Is their staff trained to deal with failures in a
security mechanism?
Failure Modes
Introduction
History
Current Status
Issues
Issues
Capital Cost
Operational Cost
Deployability
Expertise Needed
Failure ModesData Cleanliness andPKI
Operability
30 / 32
■ If a secured BGP message fails authenticationor authorization checks, the announcementmust be discarded
■ Failure modes include expired certificates orbogus CRL entries
■ Neighboring ISP can’t simply accept the baddata; the next hop will discard it
■ Securing BGP creates new ways to kicksomeone off the net
■ (Might certificates be revoked for politicalreasons? Think www.ciaocuba.com andwww.fitnathemovie.com)
Data Cleanliness and PKI
Introduction
History
Current Status
Issues
Issues
Capital Cost
Operational Cost
Deployability
Expertise Needed
Failure ModesData Cleanliness andPKI
Operability
31 / 32
■ All proposals require authoritative knowledgeof who owns which prefixes and AS #s
■ Do we have such knowledge, especially for“swamp” space?
■ Who is authoritative? A hierarchical PKI?With what root?
■ Web of trust? What about collusion? Whoowns which AS?
Operability
Introduction
History
Current Status
Issues
Issues
Capital Cost
Operational Cost
Deployability
Expertise Needed
Failure ModesData Cleanliness andPKI
Operability
32 / 32
■ Is the cost of any such solution greater or lessthan the cost of cleaning up after occasionalmistakes and attacks?
■ Will security-induced denial of serviceaccidents impact more or fewer users thanaccidental or intentional prefix hijacks?
■ Is securing BGP a net benefit to the Internet,the ISPs, and the users?